Oracle's Latest Security Patch for Java Not 100% Foolproof

Last week, Oracle released an out-of-band emergency update to address vulnerabilities in its Java software platform. Its effort appears to have fallen short: security researchers pointed out that the patch did not address the root cause of the problem, and new vulnerabilities have already been found.

As reported by Threatpost, Java security researcher Adam Gowdiak of Security Explorations in Poland said that the recent Java 7 Update 11 failed to fix a vulnerability in the Java MBeanInstantiator class, even though Oracle had promised to patch it. This unfixed bug led Mr. Gowdiak to look for further security flaws that could be exploited by attackers with a deep working knowledge of the platform.

“Leaving MBeanInstantiator issue unfixed was like an invitation to hack Java again. All that was required was to find another bug that could be combined with it,” Gowdiak said. “We have however decided not to rely on that unfixed bug and decided to find two completely new ones instead.”

Besides attempting to fix the security vulnerabilities, Oracle also raised the default security level for Java applets running in the browser from "medium" to "high", meaning that unsigned or self-signed applets now prompt the user for confirmation before they are allowed to run. Despite the company's effort, Threatpost has reported that some security experts are calling for Java to be abandoned altogether.

As a precaution, we strongly recommend that readers update any Java installation on their PCs to the latest version here. Next, disable the Java plug-in in your browser: security experts recommend using Java on an on-demand basis, i.e. turning the plug-in on only when a website actually requires it. Readers who are certain they never need to run Java applets while browsing have a further option recommended by security experts: uninstall the affected Java software from the PC entirely.
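The two checks a practitioner would want after following the advice above are (1) whether the installed Java is actually at or above 7 Update 11, and (2) whether the browser-facing settings in the user's deployment.properties file still leave the plug-in enabled or the security level below "high". The script below is an added example written for this article, not code from Oracle or from the researchers quoted. It parses the `java -version` banner and a deployment.properties file; the sample banner and properties text are constructed, not captured from a real machine. The property names `deployment.security.level` and `deployment.webjava.enabled`, and the assumption that a missing `deployment.security.level` means the 7u11 default of HIGH, are taken from Oracle's deployment configuration for Java 7 Update 10 and later and are stated here as assumptions rather than quoted from the article.

```python
import re
import subprocess

# Patch level of the out-of-band update discussed in the article (Java 7 Update 11).
PATCHED = (1, 7, 0, 11)

# Constructed sample of what `java -version` prints (it writes to stderr);
# not captured from any real system.
SAMPLE_VERSION_OUTPUT = '''java version "1.7.0_10"
Java(TM) SE Runtime Environment (build 1.7.0_10-b18)
Java HotSpot(TM) 64-Bit Server VM (build 23.6-b04, mixed mode)
'''

# Constructed sample of a user's deployment.properties; not from a real system.
SAMPLE_DEPLOYMENT_PROPERTIES = '''#deployment.properties
#Mon Jan 14 2013
deployment.security.level=MEDIUM
deployment.webjava.enabled=true
'''

VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')


def parse_java_version(output):
    """Return (major, minor, micro, update) from a `java -version` banner, or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def java_status(version):
    """Classify a parsed version against the 7u11 baseline.

    Only the Java 7 line is compared: the emergency update was a Java 7
    release, so a Java 6 install is reported separately rather than as
    'patched' or 'vulnerable'.
    """
    if version is None:
        return "unknown"
    if version[:2] != PATCHED[:2]:
        return "not-java-7"
    return "patched" if version >= PATCHED else "vulnerable"


def check_deployment_properties(text):
    """Return a list of findings for the browser-facing settings.

    Assumption: the keys below are the Java 7u10+ deployment.properties keys,
    and an absent deployment.security.level means the 7u11 default, HIGH.
    """
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()

    findings = []
    level = props.get("deployment.security.level", "HIGH").upper()
    if level not in ("HIGH", "VERY_HIGH"):
        findings.append("security level is %s; raise it to HIGH or VERY_HIGH" % level)
    if props.get("deployment.webjava.enabled", "true").lower() != "false":
        findings.append("browser plug-in is enabled; set deployment.webjava.enabled=false "
                        "unless Java in the browser is actually needed")
    return findings


def live_java_version():
    """Run `java -version` on this machine and parse it; None if java is absent."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except OSError:
        return None
    return parse_java_version(proc.stderr + proc.stdout)


if __name__ == "__main__":
    # Demonstrate on the constructed samples, then on the local machine if Java exists.
    sample = parse_java_version(SAMPLE_VERSION_OUTPUT)
    print("sample banner:", sample, "->", java_status(sample))
    for finding in check_deployment_properties(SAMPLE_DEPLOYMENT_PROPERTIES):
        print("finding:", finding)
    local = live_java_version()
    print("local java:", local, "->", java_status(local))
```

Run it as-is to see the two sample findings (security level MEDIUM, plug-in enabled) and a "vulnerable" verdict for the constructed 1.7.0_10 banner; point `check_deployment_properties` at the contents of your own deployment.properties to check a real installation.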